VMware Cloud Community
nirajrocks
Contributor

Lost Master Password

Hi Everybody,

I am in a situation here. We have a very old VMware on-prem system hosting VMware 5.1. Now the problem is that the person who initially set it up never documented the master password, and now I am in a phase of migrating my VMware to a new network with a different hostname. Now, when I migrated my cluster master to the new network and spun up the VM, the services won't start because it does not match the server name. What I would like to know is:

1. Is there a way (official or non-official) to reset the master password?

2. What is the difference between an admin password and master password?

3. Can I update my certificates using admin password? I know this one. I am using the ssl-automation.bat tool

4. Will re-installing VMware fix the problem? If yes, will it affect the current infrastructure? Will my VMs get deleted?

vSphere log: (xxxxxxxxx is my new hostname)

2019-09-21T12:13:54.749-07:00 [05764 info 'dbdbPortgroup'] [VpxdInvtDVPortGroup::PreLoadDvpgConfig] loaded [0] dvpg config objects

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Solution user set to: vCenterServer_2012.10.01_170440

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] VC's ServiceId in LookupService: {EF737C67-B22A-492D-9F46-F747BC43733C}:7

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] STS URI set to: https://xxxxxxxxx:7444/ims/STSService?wsdl

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Admin URI set to: https://xxxxxxxxxxx:7444/sso-adminserver/sdk

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Groupcheck URI set to: https://xxxxxxxxxxx:7444/sso-adminserver/sdk

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] VC SSL certificate location: C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.crt

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] STS URI set to: https://xxxxxxxxxxxxxxxx:7444/ims/STSService?wsdl

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Admin URI set to: https://xxxxxxxxxxxxxx:7444/sso-adminserver/sdk

2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Groupcheck URI set to: https://xxxxxxxxxxxxxxxx:7444/sso-adminserver/sdk

2019-09-21T12:13:55.015-07:00 [01620 info 'Default'] Thread attached

2019-09-21T12:13:55.016-07:00 [04832 info 'Default'] Thread attached

2019-09-21T12:13:55.016-07:00 [04716 error 'Default'] SSLStreamImpl::DoClientHandshake (000000000ad07790) SSL_connect failed. Dumping SSL error queue:

2019-09-21T12:13:55.016-07:00 [04716 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2019-09-21T12:13:55.016-07:00 [04716 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:000000000abbf1c0, TCP:xxxxxxxxxxxxxxxxx:7444>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:

--> PeerThumbprint: 92:82:CD:8E:45:4E:42:89:95:FB:1F:1F:14:B0:55:D7:64:AA:B6:F2

--> ExpectedThumbprint:

--> ExpectedPeerName: xxxxxxxxxxxxxxxxxxxxx

--> The remote host certificate has these problems:

-->

--> * A certificate in the host's chain is based on an untrusted root.

-->

--> * Host name does not match the subject name(s) in certificate.)

2019-09-21T12:13:55.016-07:00 [05764 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: SSL Exception: Verification parameters:

--> PeerThumbprint: 92:82:CD:8E:45:4E:42:89:95:FB:1F:1F:14:B0:55:D7:64:AA:B6:F2

--> ExpectedThumbprint:

--> ExpectedPeerName: xxxxxxxxxxxxxxxxxxxxxxx

--> The remote host certificate has these problems:

-->

--> * A certificate in the host's chain is based on an untrusted root.

-->

--> * Host name does not match the subject name(s) in certificate..

2019-09-21T12:13:55.016-07:00 [05764 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)

Regards,

Niraj

0 Kudos
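
Added example, not part of the original post and not VMware tooling: a small Python parser that groups the "-->" continuation lines of a vpxd log like the one above under their entry and pulls out the SSL verification fields and the certificate problems listed for each failure. The sample log, the host name vc-new.example.test and the thumbprint are constructed placeholders.

```python
import re

# Constructed sample modelled on the vpxd log in the post; the host name and
# thumbprint are placeholders, not values from a real system.
SAMPLE_LOG = """\
2019-09-21T12:13:55.016-07:00 [04716 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2019-09-21T12:13:55.016-07:00 [05764 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: SSL Exception: Verification parameters:
--> PeerThumbprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
--> ExpectedThumbprint:
--> ExpectedPeerName: vc-new.example.test
--> The remote host certificate has these problems:
--> * A certificate in the host's chain is based on an untrusted root.
-->
--> * Host name does not match the subject name(s) in certificate..
2019-09-21T12:13:55.016-07:00 [05764 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)
"""

HEADER = re.compile(r"^(\S+) \[(\d+) (\w+) '([^']*)'\] (.*)$")
FIELD = re.compile(r"^(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(.*)$")

def parse_entries(text):
    """Group '-->' continuation lines under the log entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts, _thread, level, source, msg = m.groups()
            entries.append({"ts": ts, "level": level, "source": source,
                            "msg": msg, "detail": []})
        elif line.startswith("-->") and entries:
            entries[-1]["detail"].append(line[3:].strip())
    return entries

def ssl_verify_failures(text):
    """Return one finding per entry that carries SSL verification parameters."""
    findings = []
    for e in parse_entries(text):
        if "Verification parameters" not in e["msg"]:
            continue
        fields = dict(m.groups() for m in map(FIELD.match, e["detail"]) if m)
        problems = [d[2:].rstrip(".)") for d in e["detail"] if d.startswith("* ")]
        findings.append({
            "ts": e["ts"], "source": e["source"], **fields, "problems": problems,
            "name_mismatch": any("does not match" in p for p in problems),
            "untrusted_root": any("untrusted root" in p for p in problems),
        })
    return findings
```

The two flags are reported separately because a name mismatch and an untrusted root are distinct findings that call for different certificate fixes.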
7 Replies
sjesse
Leadership

If master means vCenter, you can't change the hostname in that version; they only recently made that a possibility. In regards to VMware there is nothing that's a "Master" password; if I had to guess, you're talking about the SSO administrator's password.

0 Kudos
IRIX201110141
Champion

Master?

IIRC in vSphere 5.1 there was an admin@system-domain, which is today the administrator@vsphere.local. As long as you have root access to the OS which runs vCenter/SSO you can reset the password for that user.

Changing the FQHN of a vCenter is only in 6.7u3 and later.

Regards,

Joerg

0 Kudos
nirajrocks
Contributor

Thanks for the reply.

Maybe I confused you all. But when I run the SSL automation bat file, it prompts me with an option "enter master password". I enter my admin@System-Domain password and it just fails, stating the master password is incorrect. I know that this password works because I can log in to the vSphere client with it.

I am just trying to update the certs on it.

0 Kudos
nirajrocks
Contributor

So if I end up re-installing, will I lose everything?

0 Kudos
a_p_
Leadership

Did you ever change the password? If yes, and you still remember the original password used during the installation, see whether this works.

André

0 Kudos
johncol
VMware Employee

How many hosts/vs are involved here? If you are setting up a new environment you cannot change the hostname. IMO you would be better off backing up DVS's etc. and migrating hosts over to a new environment/5.5. The 5.1 version of SSO was a mare; from memory you may even be able to upgrade to 5.5, I don't think it asks for the master password during this procedure. Even going to 5.5, though, you are at the end of General Support. VCSA is your friend here.

0 Kudos
alsmk2
Hot Shot

Do your hosts use standard switches? If so, then just deploy a new VCSA 6.0; zero point messing around with an old VC if there is nothing tied into it other than a run-of-the-mill cluster. Even more so at 5.1 with a Windows VC. Those things were absolutely god awful in the extreme.

You just need to be sure that there's nothing else plumbed into it that you'd need to account for (SRM, vSphere Replication, etc.).

1. Deploy VCSA 6.0 to one of the ESXi hosts.

2. Create a Datacentre & cluster on the new VC. Copy the existing cluster settings from the old VC to new.

3. Right-click the new cluster and select add host; add the old hosts to the new VC.

The hosts will show as disconnected on the old VC, but your VMs will continue to run without issue.

4. Rinse / repeat for all hosts.

5. Delete the nasty Windows VC.

Your VMware hosts can be left at 5.1, but I'd factor in upgrading those to 6 if the hardware is supported (and then 6.7 if it is also supported). A couple of hours' work if your existing setup is basic. If you do have other apps running that have plugins installed, it's a bit more complicated as you'll need to work out a migration path for them to make sure they continue to run at the correct version for the new VCSA. Still something that should be achievable.

0 Kudos